SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

5 & 8 November 2002 Breeders' Cup Investigation Continues

The FBI has joined the investigation into whether three former fraternity brothers were involved in a scheme to manipulate off-track betting computers to guarantee a large win. One of the men, who worked for Autotote, was fired a week ago. The three men allegedly exchanged e-mail in the weeks before the suspicious October 26th bets; the Autotote employee may have altered the bets after the first few races were run. Officials were uncertain whether the Autotote system generates reports when a "superuser" alters bets or other files.
-http://espn.go.com/horse/news/2002/1105/1456465.html
-http://www.msnbc.com/news/832689.asp
-http://www.msnbc.com/news/828779.asp

12 November 2002 One Week Left For National Cyber Security Strategy Comments

In one week, the open comment period closes for the National Strategy to Secure Cyberspace. At the end of this issue of NewsBites (right after the VIRUSES stories), we've included several suggestions developed by some of the people who have taken a lot of time to review the strategy. Read the strategy, take a look at the suggestions, and then express your thoughts. Whether or not the ideas presented here are consistent with your views, please express your suggestions, support and criticism. It's rare that policy makers ask for input from the technical community. It would be a shame to waste the opportunity. -http://www.whitehouse.gov/pcipb/

4 November 2002 Financial Sector Cyber Incidents Often Go Unreported

World Bank security expert Tom Kellermann cites studies that indicate as many as 80% of cybersecurity breaches at financial institutions go unreported. Banks and other financial institutions are often more willing to pay extortionists than they are to go public with information that could damage their reputation. [Editor's Notes (Ed Skoudis, Guest Editor): Based on what I've seen in the financial sector, a lot of this 80% number depends on how you define a "breach." Sure, financial institutions don't report every scan they get, or every time someone finds a slight flaw in a web app. That's a lot of the 80% right there. They are only required to report incidents to the government that materially impact their customers, which is a very small portion of all attacks indeed. That said, cyber extortion does occur, just not at the rate implied in the article. I have worked cases where brokerage firms did pay extortionists to defuse logic bombs so that they could continue trading. (Schultz): Information security staff members at financial institutions are undoubtedly chuckling as they read this news item--80 percent is certainly a gross underestimate! (Murray): Though the publicity for banks is often significantly more damaging than the original event (we have had at least one bank fail because of the publicity of a loss that they could easily absorb), it is a felony for banks to conceal material losses from the regulators. This is the only industry for which this is true. While they must tell the regulators, they need not and should not tell the press. I do not know of any banks that do or would pay extortion or any responsible security consultants that would advise them to do so. ]

THE REST OF THE WEEK'S NEWS

14 November 2002 Cybersec Funding Bill Goes to President

H.R. 3394, which allocates $903 million for cybersecurity research, was approved today on a voice vote. The bill, also known as the Cyber Security Research and Development Act (CSRDA), includes $25 million earmarked for increasing the number of qualified college-level cyber-security instructors and $144 for establishing Computer and Network Security Research Centers; it also requires the National Institute of Standards and Technology (NIST) to create cybersecurity checklists for use by government agencies. However, on urging from the computer industry, Congress removed provisions asking federal agencies to use the checklists.
-http://www.atnewyork.com/news/article.php/1499391
[Editor's Note (Paller): Don't start spending the money yet. The appropriations committees must specifically approve funds before they can be spent. Any combination of a war in Iraq, prescription drug measures, and additional tax cuts will put enormous pressure on Congress to trim discretionary spending. ]

3 November 2002 National Cyber Forensics and Training Alliance

The National Cyber Forensics and Training Alliance in Pittsburgh will train investigators in methods of tracking down cyber evidence. The alliance is made up of federal and local law enforcement agencies, businesses and institutions of higher education in Pittsburgh and West Virginia. Other such alliances exist around the country, but the one in Pittsburgh is the first to have a training center.
-http://www.phillyburbs.com/couriertimes/news/news/1103cybersleuths.htm
[Editor's Note (Northcutt): I hope this project succeeds and that they reach out and team with the existing and respected High Tech Crime Investigation Association,
-http://www.htcia.org/
that has been serving a similar function for years without government funding. More information about the NCFTA alliance can be found at:
-http://www.geocities.com/teemukah/ncfta.html
Alliances like this must be part of the government's plan to disburse the money from the Cybersecurity Funding Bill (described in the previous story). ]

11 November 2002 Optical Antenna Improves Wireless Security

British research scientists have developed an optical antenna they say can increase wireless network security. The antenna transmits and receives infrared signals instead of radio signals, and so can be more focused and controlled. -http://news.com.com/2100-1033-965239.html

11 November 2002 US Military Site Hacker to be Indicted

A British man is likely to be indicted very soon in federal courts in New Jersey and northern Virginia on charges stemming from a series of cyberattacks against U.S. military computer networks. Authorities are considering trying to have the man extradited to the U.S. -http://www.msnbc.com/news/833723.asp?0dm=C228T

11 November 2002 Some Interior Systems Still Disconnected

Almost a year after a federal judge ordered the Department of the Interior disconnected from the Internet due to serious cyber security problems, 6 per cent of its systems remain offline; most of those systems deal with the Department's Bureau of Indian Affairs trust funds.
-http://www.fcw.com/fcw/articles/2002/1111/web-interior-11-11-02.asp

8 November 2002 Churchill Downs Implements Security Procedures

In the wake of a suspiciously large payoff for a series of bets made at the Breeders' Cup, Churchill Downs, Inc. is establishing a number of security procedures in its computerized betting system. Automatic betting will be locked out at least a minute before the start of the race to allow final odds to be tabulated and posted prior to the start of the race. Bets will only be accepted from hub facilities that have front-end recording devices that leave audit trails, and winning bets in multiple simulcast races will be reviewed.
-http://www.msnbc.com/news/832687.asp
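Added example (not from the newsletter, Churchill Downs or Autotote): a small Python model of the two controls described above, a lock-out before post time and a hash-chained audit trail, so that a privileged "superuser" alteration made after the race (the open question in the Breeders' Cup story) shows up on a winning-bet review. The ledger design, actor names, timestamps and picks are constructed assumptions.

```python
import hashlib
LOCKOUT_SECONDS = 60  # bets frozen this long before post time (the story's "at least a minute")
GENESIS = "0" * 64

def _digest(ev, prev_hash):
    """Hash-chain each event to its predecessor so later edits of the trail are detectable."""
    raw = "|".join(str(ev[k]) for k in ("actor", "action", "bet_id", "picks", "ts"))
    return hashlib.sha256(f"{raw}|{prev_hash}".encode()).hexdigest()

class BetLedger:
    def __init__(self, post_time):
        self.post_time = post_time
        self.bets = {}   # bet_id -> current picks
        self.trail = []  # append-only audit events (plain dicts to keep the example short)

    def _record(self, actor, action, bet_id, picks, ts):
        prev = self.trail[-1]["digest"] if self.trail else GENESIS
        ev = {"actor": actor, "action": action, "bet_id": bet_id,
              "picks": tuple(picks), "ts": ts, "prev_hash": prev}
        ev["digest"] = _digest(ev, prev)
        self.trail.append(ev)

    def place_bet(self, hub, bet_id, picks, ts):
        """Normal hub path: refuses anything inside the lock-out window."""
        if ts > self.post_time - LOCKOUT_SECONDS:
            raise ValueError(f"{bet_id}: betting is locked out")
        self.bets[bet_id] = tuple(picks)
        self._record(hub, "place", bet_id, picks, ts)

    def superuser_alter(self, operator, bet_id, picks, ts):
        """Privileged path: bypasses the lock-out but still lands in the trail."""
        self.bets[bet_id] = tuple(picks)
        self._record(operator, "alter", bet_id, picks, ts)

    def verify_chain(self):
        """False if any recorded event was edited or removed after the fact."""
        prev = GENESIS
        for ev in self.trail:
            if ev["prev_hash"] != prev or ev["digest"] != _digest(ev, prev):
                return False
            prev = ev["digest"]
        return True

    def suspicious_alterations(self):
        """What a winning-bet review should flag: alterations made at or after lock-out."""
        cutoff = self.post_time - LOCKOUT_SECONDS
        return [ev for ev in self.trail if ev["action"] == "alter" and ev["ts"] >= cutoff]

def demo():
    # Constructed data: post time t=1000, two hub bets, one privileged edit after the race.
    ledger = BetLedger(post_time=1000)
    ledger.place_bet("hub-A", "B1", [4, 7, 2], ts=800)
    ledger.place_bet("hub-A", "B2", [1, 1, 1], ts=900)
    ledger.superuser_alter("tote-admin", "B2", [4, 7, 2], ts=1300)
    return ledger
```

The review step is `suspicious_alterations()`; `verify_chain()` is the separate check that the trail itself has not been rewritten by the same privileged account.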

8 November 2002 UK Company to Use Signature Capture Biometrics

UK building concern Nationwide plans to use signature capture biometric technology to help prevent fraud. Customers will be asked to sign their names up to six times for the system to decide that it has an accurate picture of that individual's writing style, including how the pen is held, what type of pressure is exerted and how quickly that person writes.
-http://news.bbc.co.uk/2/hi/technology/2420143.stm
[Editor's Note (Schultz): I wonder how willing customers will be to sign their names up to six times when competitor banks require less rigorous authentication procedures. Human factors/usability considerations are among the most important, yet neglected variables in information security today. ]

7 November 2002 Michigan Man Pleads Guilty to Stealing Files from Former Employer

Gregg Wysocki of Rochester Hills, Michigan has pleaded guilty to criminal computer intrusion. Wysocki could receive a prison sentence of up to five years and be ordered to pay a $10,000 fine for stealing files from his previous employer and using the information they contained to get a job with a competitor.
-http://www.usatoday.com/tech/news/2002-11-07-computer-intrusion_x.htm
[Editor's Note (Shpantzer): Some organizations make it a policy to forensically image the computers of departing employees, whether they quit or were fired. This allows them to come back later to a properly archived image and analyze it for potential evidence. ]

6 November 2002 e-Mail from Certain Business Sectors More Likely to Carry Viruses

According to a MessageLabs report, e-mails from retailing and leisure companies are at least seven times more likely to contain a virus than are e-mails from accounting and legal businesses. The cause is suspected to be the fact that retailing and leisure industries have a closer relationship with home users, who are generally not careful about computer security. The study showed the retail and leisure industry with 1 in 50 infected e-mails, finance and banking with 1 in 101, and accounting and legal with less than 1 in 350. -http://www.zdnet.com.au/newstech/security/story/0,2000024985,20269688,00.htm

6 November 2002 Bermudan Bank Site Defaced

Hackers may have exploited a Microsoft operating system vulnerability to deface two Bermudan websites, including that of the Bank of Butterfield. Bank officials say no customer data was compromised. The site hosts are recommending that their clients who work with data that needs to be protected switch to their Unix based hosting platform.
-http://www.bermudasun.bm/cgi-local/edpull.pl?cat=01News&ord=03&ed=2002-11-06
[Editor's Note (Schultz): The recommendation in this news item should add a considerable amount of fuel to the "whose operating system is most secure" debate. ]

6 November 2002 CD Copy Protection Won't Work

Princeton University computer scientist John Halderman says that CD copy protection is futile because both software and hardware are constantly being upgraded. Halderman suggests that the music industry reduce the cost of new CDs to the point where it would be less expensive to buy one than to make a copy.
-http://www.newscientist.com/news/news.jsp?id=ns99993020
[Editor's Note (Shpantzer): Making CDs available at a lesser cost than copying them is not feasible. However there are now reasonably priced internet-based music distribution sites such as PressPlay.com and Listen.com. These are not free nor as cheap as making a copy, but they are moving in the right direction for giving honest people a way to get the custom download experience. ]

The UK government's Parliamentary Communications Directorate is inviting bids for a data back-up and disaster recovery system to replace their present tape systems. If it works well, other departments are likely to implement similar systems.
-http://www.vnunet.com/News/1136621

5 November 2002 Phone Phreakers Rack Up $11,000 Bill in Ohio

Hackers guessed an Ohio woman's voice mail password and recorded a greeting that would sound to operators as if someone were accepting charges for a collect call, so that they could use her line to make lengthy international calls. Her one-month phone bill was nearly $11,000, which she did not have to pay. People should choose voice mail passwords that are hard to guess and should change them frequently; they should also consider blocking or limiting access to international calls.
-http://www.ohio.com/mld/ohio/news/local/4446396.htm

5 November 2002 Self-Healing Database Software

Researchers at Pennsylvania State University have developed software that allows a database under attack to repair itself even as the attack is occurring. The software monitors database user activity; if it appears suspicious, the user is redirected to a "dummy" database. If it turns out that the concerns were unfounded, the user's activity can still be merged into the true database. -http://www.washtimes.com/upi-breaking/20021104-042833-3688r.htm

5 November 2002 Mozilla Vulnerabilities

Versions of the open source browser Mozilla prior to 1.0.1 contain a half-dozen security vulnerabilities that could be exploited to execute code and read files from hard drives. Red Hat suggests that users of vulnerable versions should update their software. -http://www.theregister.co.uk/content/55/27934.html

4,5 & 6 November 2002 e-Voting Needs Audit Trails

The increased use of e-voting in the recent election has raised concerns about the security of the systems. Some voters were reporting that the systems were tallying their votes incorrectly. Despite assurances of encryption, digital signatures and backups from system providers, critics say the systems are not reliable enough. The software they run on is proprietary and thus unavailable for review. Current systems provide no audit trail to check for vote tampering or to ensure that people's votes were counted accurately. Cryptographer David Chaum has developed a system that gives voters encrypted receipts they can use to check whether or not their vote was tallied properly.
-http://www.cnn.com/2002/TECH/ptech/11/05/touch.screen/index.html
-http://www.computerworld.com/governmenttopics/government/story/0,10801,75674,00.html
-http://www.thestar.com/NASApp/cs/ContentServer?pagename=thestar/Layout/Article_Type1&c=Article&cid=1035773962641&call_page=TS_Business&call_pageid=968350072197&call_pagepath=Business/News&col=969048863851
[Editor's Note (Murray): The problem of ensuring the voter that his ballot has been tallied properly while not compromising the secrecy of that ballot is a fundamental problem in all systems. No system has ever done it well, least of all the voting machines that we have been using for much of this century. However, we tend to expect both higher integrity and demonstrability of novel technology. ]

4 November 2002 Researcher Develops Prime Number Determination Method

Manindra Agrawal, a theoretical computer scientist in India, has come up with a method for determining whether or not very large numbers are prime. While his findings have "no immediate practical application," Agrawal may eventually address the problem of factoring very large numbers. The product of two very large prime numbers is the basis for some Internet encryption. -http://www.msnbc.com/news/830300.asp

6 & 7 November 2002 Roron Worm

The Roron, or Oror.B, worm spreads through e-mail, shared drives and the Kazaa peer-to-peer file-sharing network. The worm's payload includes installing several tools that allow infected machines to be controlled by IRC messages to launch denial of service attacks. Users become infected only if they manually launch the attachment. Roron also searches for and deactivates some anti-virus software and tries to delete it; in certain circumstances, Roron deletes files from hard drives.
-http://news.com.com/2100-1001-964809.html
-http://www.net-security.org/virus_news.php?id=118

POSSIBLE THOUGHTS FOR THE NATIONAL STRATEGY

If any of these are consistent with your views, please grab them and email them to the people collecting comments at feedback@cybersecurity.gov. Don't forget to tell them who you are, where you work, and what you do. Whether or not these ideas are consistent with your views, please express your suggestions, support and criticism. It's rare that policy makers ask for input. It would be a shame to waste the opportunity.

1. From the Center For Democracy and Technology
The government needs to get its own house in order - it needs to force agencies to do the right things. In this regard, we believe that the National Strategy is not strong enough. We urge the Administration to strengthen the power of OMB to mandate security [but only for government agencies ].

2. From leaders of the networking community
ISPs are the first line of defense when a cyber attack is underway. However, the ISP community is at great risk of losing the few remaining security experts who are capable of taking action quickly. If the Federal government hopes to have a viable Rapid Response capability, it must find a way to bolster the security staff and tools available at the medium to large ISPs.

3. From another wise person
There is pressure from some people to remove the home user and small business user from the National Strategy because, they say, it is silly for a strategy dealing with terrorism to even consider the home user. When the Leaves worm took over and controlled more than 16,000 home computers, its creators had enough power to put any site on the Internet out of business including major communications facilities serving the military and emergency response systems. Home users control more fire power, in the aggregate, than business users, and they have less security, by far. Please continue to include them in the plan.

4. From SANS Research Office (Alan Paller)
One of the most powerful ideas laid out in the draft National Strategy is to use the government's combined buying power to provide economic incentives for vendors to deliver and maintain safer systems. The draft Strategy repeated the idea in the section dealing with industry groups. Both government and industry groups can have a profound impact. Working together they can move mountains. Please put added emphasis in the Strategy on government-wide and industry-wide purchasing using minimum security standards.